Security+: Implementing Identity and Access Management (IAM) Controls

Identity and access management (IAM) are among the most essential information security controls. After all, making sure a user actually is who he/she is claiming to be before providing access based on the minimal privilege principle is a sound way of ensuring data confidentiality, integrity, and even availability.

CompTIA’s Security+ dedicates an entire domain to IAM, representing 16% of the exam questions. Since most of the Security+ focuses on real-world situations, it stands to reason that, given a scenario, candidates must have the skills necessary to implement identity and access management controls.

Here is a list of IAM controls exam takers should be aware:

  1. Access control models: In order to implement IAM, it is necessary to have a way of defining what an object (i.e., a user or a process) can interact with other securable objects. Access control models are responsible for just that: They are used to create a paradigm that defines the relationships among permissions, operations, objects, and subjects. There are a few different models that Security+ candidates must understand:
  • MAC: In the mandatory access control model, users have limited power (or even no power at all) for defining who can access their files. Access policies are enforced by the system administrator, for example, by creating clearance levels for users and classifying data (i.e., public, confidential, secret, or top secret). A user with the clearance level “secret” can access data classified within this category, but cannot grant access to another user, even when they are considered data-owners.
  • DAC: Using the discretionary access control model, users can be defined as a “data owners,” which means that they can determine who can access specific resources within their ownership. For example, a user can create a file and set it up in a way that (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Claudio Dodt. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/HyKK2F_ckPE/